Version 1.0
This document describes security vulnerabilities that were addressed through software changes. Source code patches for these issues have been released to the Code Aurora Forum (CAF) and linked from this bulletin. These changes are applicable but not limited to Android for MSM (all Android releases from CAF using the Linux-kernel), Firefox OS for MSM & QRD Android projects. Customers were previously notified of the issues described in this bulletin. Each of the vulnerabilities has an associated security rating. A description of these ratings using v 1.2 of the ratings scheme can be found at the following link.
Please reach out to security-advisory@quicinc.com for any questions related to this bulletin.
Announcements
None.
Acknowledgements
We would like to thank these researchers for their contributions in reporting these issues to us.
| CVE-2018-12006, CVE-2018-12010, CVE-2018-12011, CVE-2018-13893 | Reported to us through Google Android Security team; please see bulletins at https://source.android.com/security/overview/acknowledgements/ for individual credit information. |
Table of vulnerabilities
| Public ID | Security Rating | Technology Area | Date Reported |
| CVE-2018-12006 | Medium | Display | 5/16/2018 |
| CVE-2018-11962 | High | Audio | Internal |
| CVE-2018-12010 | Medium | Core Services | 6/19/2018 |
| CVE-2018-12011 | Medium | Qualcomm IPC | 6/27/2018 |
| CVE-2018-12014 | High | Data Network Stack & Connectivity | Internal |
| CVE-2018-13889 | High | GPS AP-Linux | Internal |
| CVE-2018-13893 | Medium | Core Services | 7/24/2018 |
CVE-2018-12006
| CVE ID | CVE-2018-12006 |
| Title | Information Exposure in Display |
| Description | Users with no extra privileges can potentially access leaked data due to uninitialized padding present in display function. |
| Technology Area | Display |
| Vulnerability Type | CWE-200 Information Exposure |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 5/16/2018 |
| Customer Notified Date | 10/1/2018 |
| Patch |
CVE-2018-11962
| CVE ID | CVE-2018-11962 |
| Title | Use After Free in Audio |
| Description | Heap-use-after-free issue while loading audio effects config in audio effects factory. |
| Technology Area | Audio |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 10/1/2018 |
| Patch |
CVE-2018-12010
| CVE ID | CVE-2018-12010 |
| Title | Stack-based Overflow in Core |
| Description | Absence of length sanity check may lead to possible stack overflow resulting in memory corruption in trustzone region. |
| Technology Area | Core Services |
| Vulnerability Type | CWE-121 Stack-based Buffer Overflow |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 6/19/2018 |
| Customer Notified Date | 10/1/2018 |
| Patch |
CVE-2018-12011
| CVE ID | CVE-2018-12011 |
| Title | Information Exposure in Core |
| Description | Uninitialized data for socket address leads to information exposure. |
| Technology Area | Qualcomm IPC |
| Vulnerability Type | CWE-200 Information Exposure |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 6/27/2018 |
| Customer Notified Date | 10/1/2018 |
| Patch |
CVE-2018-12014
| CVE ID | CVE-2018-12014 |
| Title | Use After Free in HLOS Data |
| Description | A dangling pointer can be dereferenced in HLOS Data. |
| Technology Area | Data Network Stack & Connectivity |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 10/1/2018 |
| Patch |
CVE-2018-13889
| CVE ID | CVE-2018-13889 |
| Title | Use After Free in GPS |
| Description | Heap memory was accessed after it was freed. |
| Technology Area | GPS AP-Linux |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 10/1/2018 |
| Patch |
CVE-2018-13893
| CVE ID | CVE-2018-13893 |
| Title | Untrusted Pointer Dereference in DIAG Services |
| Description | Out of bound mask range access caused by using possible old value of msg mask table count while copying masks to userspace. |
| Technology Area | Core Services |
| Vulnerability Type | CWE-822 Untrusted Pointer Dereference |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 7/24/2018 |
| Customer Notified Date | 10/1/2018 |
| Patch |
Industry Coordination
Security ratings of issues included in Android security bulletins and these bulletins match in the most common scenarios but may differ in some cases due to one of the following reasons:
- Consideration of security protections such as SELinux not enforced on some platforms
- Differences in assessment of some specific scenarios that involves local denial of service or privilege escalation vulnerabilities in the high level OS kernel
Version History
| Version | Date | Comments |
| 1.0 | January 7, 2019 | Bulletin Published |